GB-OS FIREWALL SOFTWARE
Author: Global Technology Associates, Inc.
Product: GB-OS version 5.0.2
Date: 12 December 2007
GB-OS version 5.0.2 includes updated versions of the following GTA
products and utilities:
Release notes are located on the installation CD and on GTA's web site.
For more about upgrading related software, see individual product
Release Notes sections are categorized first by feature addressed, then
by the type of change.
1. INSTALL NOTES
6. SECURITY POLICIES
8. THREAT MANAGEMENT
11. OPERATING SYSTEM
12. RELEASE NOTES HISTORY
1. INSTALL NOTES
1.1 Corrupt Names and Descriptions
GB-OS 5.0 uses the UTF-8 character set, wherein the past previous
versions of GB-OS allowed administrators to select the character
set according to their locale. Before upgrading to GB-OS 5.0, it is
necessary to match your web browser's character set with the
character set used by GB-OS. In GB-OS 3.x, the default character
set is selected at Basic Configuration>Preferences. In GB-OS
4.0, the default character set is selected at
1.2 Entering New Activation Codes
If upgrading from 4.0.5 or below, new activation codes must be
entered. GB-OS version 5.0.2 is available at no charge to
customers with a GTA support contract or annual maintenance
agreement. Other users should contact their local GTA channel
partner or email firstname.lastname@example.org for information and pricing of
1.3 Upgrading From GB-OS 3.4.0 Through GB-0S 4.0.2
If upgrading from GB-OS 3.4 through GB-OS 4.0.2, it is necessary
to first upgrade to an interim version of GB-OS before
installing GB-OS 5.0. For upgrade instructions, refer to
Reference D in the GB-OS User's Guide.
1.4 Upgrading Hard Drive GB-Ware Installations from 3.4.x to 5.0.2
When upgrading a hard drive GB-Ware firewall from version 3.4.x
1. Back up the firewall configuration.
2. Reinstall the firewall software completely from the CD.
3. Restore the configuration.
The GB-Ware CD image (ISO-9660) is available for download from
GTA's Online Support Center
(https://www.gta.com/support/center/login/). Failure to reinstall
from CD may cause hard drive geometry errors that prevent the
1.5 Upgrade Notes
1.5.1 Error Messages Upon Initial Reboot
Upon rebooting after successful installation, the GTA
Firewall UTM Appliance may display errors when accessed
using the Web interface. This is expected, these errors are
generated because the browser's cache is trying to access
files and locations that no longer apply. Click OK to any
displayed errors and refresh the browser window to access
GB-OS 5.0. If the error messages persist, clear your
1.5.2 Default Login and Password Changes
Firewall administrators who have never changed their default
login and password in the Admin Accounts section of GB-OS
3.x will find that their default account's login information
will no longer work with GB-OS 5.0. After the firewall
administrator has upgraded to GB-OS 5.0, their login and
password will both default to "fwadmin".
1.5.3 GB-250 Upgrade Notice
GB-250 Firewall UTM Appliances may reboot multiple times,
and may install GB-OS 5.0 on both memory slices during the
upgrade process. It is important that administrators DO NOT
shut down their firewall when upgrading to GB-OS 5.0. If
GB-OS 5.0 is installed on both memory slices, it will not be
possible to revert back to the previously installed version
1.5.4 GB Commander 1.1 No Longer Supported
GTA Firewall UTM Appliances operating GB-OS 5.0 do not
support GB Commander 1.1. As such, GB Commander 1.1
administrators will no longer be able to monitor firewalls
that have been upgraded to GB-OS 5.0.
Administrators of GTA firewalls monitored by GB Commander
1.1 may either upgrade their firewalls to GB-OS 5.0 and lose
GB Commander support or they may wait until GB Commander 2.0
has been released before they upgrade their firewalls to
1.5.5 VPN Object Names
Previously defined VPN objects will have the GB-OS version
number appended to their name after the GTA firewall has
been upgraded to version 5.0. For example, a VPN object
with a name of IKE in GB-OS 3.7.0 will be named IKE_370
after the upgrade.
1.5.6 Service Group Object Modifications
The built-in DNS Zone service group object has been merged
with the DNS Lookups service group object. Therefore,
configurations that reference the now defunct DNS Zone
service group object will need to be updated to reference
the DNS Lookups service group object.
1.6 Platform Independent Web Interface
GB-OS 5.0 includes a platform independent web interface which
provides an improved workflow, user-friendly design with
enhanced features such as offline configuration and verification
using GB-OS 5.0's Test Mode. GBAdmin is not supported in
GB-OS 4.0 and above.
1.7 SSL Certificate Replacement
GB-OS version 5.0 will install a new default security/SSL
certificate. Some browsers, including Netscape and Mozilla,
will not recognize the new certificate if the original has
never been replaced. If you are unable to log on to the
firewall after upgrading, delete the browser's cached security
certificate, then close and restart your browser before
reattempting remote access to your firewall.
2.1.1 Users without administrative privileges can now export
2.2 Bug Fixes
2.2.1 The inbound option is now correctly set for pass through
hosts/networks when importing a configuration.
2.2.2 The Web interface no longer crashes when XML files
that are not encoded in the UTF-8 file format are
imported into the configuration.
2.2.3 Emailed configurations in both HTML and ZIP format have
an improved display and now include authenticated user
3.1.1 Disabled VLANs and aliases now appear in drop-down
lists when defining and editing address objects.
3.1.2 The Network Time service is now enabled by default, and
uses servers belonging to the NTP Pool Project.
3.1.3 The Network Time service now properly looks up an
NTP server when the external interface uses a dynamic
3.1.4 Network Time Protocol tunnels automatically close
after 20 seconds if a response is received, and after 60
seconds if no response is received.
3.1.5 Timezone information has been updated.
4.1 Bug Fixes
4.1.1 The Authentication screen now correctly saves bind
options and remembers the state of advanced tabs.
4.1.2 Settings configured in the Authentication screen now
properly take effect when saved.
4.1.3 Users configured to use certificates for their mobile
VPN settings no longer fail to authenticate with the
firewall using GBAuth.
4.1.4 A memory leak in the authentication service has been
5.1.1 Gateway policies' beacon TTL (Time To Live) has been
increased from 5 to 30.
5.1.2 An 'Add Static Routes For Beacons' checkbox has been
added under the Advanced tab for Gateway Policies.
5.1.3 GB-OS now uses a VLAN's ID when creating an internal
VLAN device name.
5.1.4 GB-OS now creates VLAN interfaces as 'vlan#', where '#'
corresponds to the VLAN interfaces' ID.
5.2 Bug Fixes
5.2.1 PPPoE interfaces with an on-demand PPP connection type
now function properly.
5.2.2 GB-OS no longer fails to re-authenticate with a Digital
Subscriber Line Access Multiplexer (DSLAM) using a PPPoE
5.2.4 GB-OS no longer attempts to use configured gateways
that have been disabled.
5.2.5 GB-OS now correctly removes gateways when deleted from
5.2.6 DHCP clients associated with configured VLANs are now
properly stopped when the VLAN is disabled.
5.2.7 VLAN IDs with more than three digits are no longer
6. SECURITY POLICIES
6.1 Bug Fixes
6.1.1 Previously configured security policies that use VLAN
interfaces now properly function if the security policy
is edited and saved.
6.1.2 Security policies and inbound tunnels with IPS and TCP
SYN Cookies enabled no longer generate unnecessary
latency between connections.
6.1.3 The Automatic Policies toggle on the Security Policies
Preferences screen now also enables or disables
automatic policies for IPSec and inbound tunnels.
7.1.1 GB-OS now reports "Unable to open configuration" when
an H2A update is performed and the slave H2A firewall is
7.1.2 The DHCP server has been updated.
7.1.3 GB-OS now uses GTA's object identifier (OID) when
generating SNMP traps.
7.2 Bug Fixes
7.2.1 A memory leak in the Firewall Control Center service
has been resolved.
7.2.2 GB-OS now verifies that DNS servers configured for the
DNS proxy are remote IP addresses.
8. THREAT MANAGEMENT
8.1.1 Surf Sentinel now provides improved handling of SSL
8.1.2 Mail Sentinel log messages have been improved.
8.1.3 The IPS engine and policies have been updated.
8.2 Bug Fixes
8.2.1 GB-OS Mail Sentinel Anti-Spam and Mail Sentinel
Anti-Virus licenses now remain valid if GTA servers
cannot be reached.
8.2.2 The number of available IPS policies is now properly
displayed when no IPS policies are enabled.
8.2.3 IPS now protects packets passed to Surf Sentinel to
prevent system crashes.
8.2.4 GB-OS no longer crashes when Surf Sentinel processes a
9.1 New Features
9.1.1 The percentage of available security associations used
is now displayed in the Monitor>Activity>VPN>IPSec
Tunnels and and Monitor>System>Overview screens.
9.2 Bug Fixes
9.2.1 Advanced tabs are now properly displayed when
navigating between defined IPSec tunnels.
9.2.2 Mobile users that have authenticated with GB-OS using
VPN certificates are now identified in the Monitoring
9.2.3 GB-OS now correctly calculates security associations
configured by GTA Mobile VPN Clients.
9.2.4 GB-OS now supports multiple subnets when using the GTA
Mobile VPN Client.
10.1 Bug Fixes
10.1.1 Automatic policies created by inbound tunnels that use
port redirection are now properly displayed in the
10.1.2 The time to expire for a DHCP lease is now correctly
10.1.3 GB-OS no longer displays IPS information in the
Monitor>Activity>Threat Management screen for firewalls
that do not support IPS.
11. OPERATING SYSTEM
11.1 New Features
11.1.1 Support for resetting the configuration to factory
defaults has been added by using the reset button for
the GB-250 Firewall UTM Appliance Family.
11.1.2 Support has been added for USB to serial adapters. The
following adapters are compatible with GTA Firewall UTM
Appliances: iConnnect model #3312 and IOGEAR model
11.1.3 GB-OS now includes Dutch localization.
11.1.4 GB-OS now includes enhanced monitoring of active TCP
connections for valid reset packets.
11.1.5 Support added for the GB-250 Rev B Firewall UTM
11.2.1 Verification of configuration settings has been
GBOS5020004694, GBOS5020004603, GBOS5020004292,
GBOS5020004749, GBOS5020001443, GBOS5020003749,
11.2.2 Support has been added for FTP connections using SSL.
11.2.3 GB-OS now verifies that all characters entered into
the configuration are valid UTF-8 characters.
11.4 Bug Fixes
11.4.1 GB-OS no longer reboots the system when configured to
log policy blocks and a DoS attack of TCP FIN and TCP
ACK packets is received.
11.4.3 GB-OS now properly sends SNMP traps when configured to
11.4.4 GB-OS now correctly identifies email addresses when
the address begins with a digit.
11.4.5 GB-Ware firewalls with an unrestricted user license no
longer fail to update when new policies are pushed to
the system by GB Commander 2.0.
12. RELEASE NOTES HISTORY
12.1 Previous Release Notes
These notes cover the 5.0.2 release of GB-OS. Release notes
for previous versions can be found at GTA's web site,
Global Technology Associates, Inc.
3505 Lake Lynda Drive, Suite 109
Orlando, Florida 32817